Pedro,
I use the following iptables rules on my router (this will work for any console-based connection using TCP):
# DROPS MULTIPLE SSH CONNECTIONS FROM SAME IP
iptables -t filter -I FORWARD -p tcp --syn --dport 22 -i tunl0 -m connlimit --connlimit-above 5 -j DROP

# DROPS MULTIPLE SSH ATTEMPTS FROM SAME IP WITHIN FIVE MINUTES
# (-I places each rule at the top of the chain, so once all three lines are
# loaded the chain is evaluated in the order: --set, --update/DROP, connlimit/DROP)
iptables -t filter -I FORWARD -p tcp --dport 22 -i tunl0 -m state --state NEW -m recent --name sshconnect --update --seconds 300 --hitcount 5 -j DROP
iptables -t filter -I FORWARD -p tcp --dport 22 -i tunl0 -m state --state NEW -m recent --name sshconnect --set
The first rule drops any connections greater than five. The last two rules mark and drop more than five attempts from the same IP, for a period of five minutes. You may wish to increase the time frame. I've also added rules to block IPs that attempt to connect (or portscan) on certain TCP and UDP ports (3389/tcp, 123/udp and 161/udp are common, for example) for which I do not post services as available to the AMPR Community or the Public Internet connection.
In essence, even if an unauthorized person discovered the port without being firewalled by the portscan rule, they only get 5 chances, with up to 5 concurrent connections at any given 5-minute interval (the amount of attempts varies by implementation of server and client; but once portscanned or disconnected from a given series of attempts, it counts as one connection). Each reattempt after 5 restarts the 5-minute clock.
I also block Bogon IP addresses from entering tunl0:
# DROPS BOGONS ENTERING AMPRNet
# SEE http://www.team-cymru.org/Services/Bogons/bogon-bn-nonagg.txt
iptables -t raw -I PREROUTING -s 0.0.0.0/8 -i tunl0 -j DROP
iptables -t raw -I PREROUTING -s 10.0.0.0/8 -i tunl0 -j DROP
iptables -t raw -I PREROUTING -s 100.64.0.0/10 -i tunl0 -j DROP
iptables -t raw -I PREROUTING -s 127.0.0.0/8 -i tunl0 -j DROP
iptables -t raw -I PREROUTING -s 169.254.0.0/16 -i tunl0 -j DROP
iptables -t raw -I PREROUTING -s 172.16.0.0/12 -i tunl0 -j DROP
iptables -t raw -I PREROUTING -s 192.0.0.0/24 -i tunl0 -j DROP
iptables -t raw -I PREROUTING -s 192.0.2.0/24 -i tunl0 -j DROP
iptables -t raw -I PREROUTING -s 192.168.0.0/16 -i tunl0 -j DROP
iptables -t raw -I PREROUTING -s 198.18.0.0/15 -i tunl0 -j DROP
iptables -t raw -I PREROUTING -s 198.51.100.0/24 -i tunl0 -j DROP
iptables -t raw -I PREROUTING -s 203.0.113.0/24 -i tunl0 -j DROP
iptables -t raw -I PREROUTING -s 224.0.0.0/4 -i tunl0 -j DROP
iptables -t raw -I PREROUTING -s 240.0.0.0/4 -i tunl0 -j DROP
I should note that in addition to this, console-based connections that I use for administration only are moved to non-standard ports. So I added another layer of protection with Security Through Obscurity (hence a portscan rule).
73,
Lynwood KB3VWG
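The two mechanisms in Lynwood's message, the per-source SSH limits and the bogon drop on tunl0, as an added example that is not part of the original post: a POSIX shell script that generates the rules as text for review rather than applying them, so the output can be diffed and checked before it ever reaches a router. Interface, port and thresholds are parameters (the defaults match the post). The bogon prefixes are a constructed sample in the format of the Team Cymru bogon-bn-nonagg.txt file and stand in for the live list, which would be fetched separately; loading them into an ipset named "bogons" behind a single raw-table rule, and the use of `-m conntrack --ctstate NEW` in place of the older `-m state --state NEW`, are this example's choices, not the post's. It assumes iptables with the connlimit, recent and set matches and the ipset tool on the router that eventually runs the output.

```shell
#!/bin/sh
# Added example (editor's code, not from the original post): emit the SSH
# rate-limit rules and a bogon ipset as reviewable text instead of applying
# them directly. Interface, port and limits are parameters.
# Assumption: iptables (connlimit, recent, set matches) and ipset exist on
# the router that eventually runs the printed commands.

IFACE="${IFACE:-tunl0}"
SSH_PORT="${SSH_PORT:-22}"
MAX_CONCURRENT="${MAX_CONCURRENT:-5}"
MAX_ATTEMPTS="${MAX_ATTEMPTS:-5}"
WINDOW_SECONDS="${WINDOW_SECONDS:-300}"
SET_NAME="bogons"

# Constructed sample in the format of team-cymru's bogon-bn-nonagg.txt
# (one prefix per line, '#' comments). A real deployment fetches the current
# file; the deliberately malformed last line exercises the validation path.
BOGON_LIST='# constructed sample, not the live Team Cymru list
0.0.0.0/8
10.0.0.0/8
100.64.0.0/10
127.0.0.0/8
169.254.0.0/16
172.16.0.0/12
192.0.0.0/24
192.0.2.0/24
192.168.0.0/16
198.18.0.0/15
198.51.100.0/24
203.0.113.0/24   # TEST-NET-3, trailing comment is stripped
224.0.0.0/4
240.0.0.0/4
not-a-prefix'

# SSH rules in chain order. -A appends, so the listing order is the order in
# which packets meet the rules (with -I, as in the post, each new rule lands
# above the previous one).
ssh_rules() {
    # 1. At most MAX_CONCURRENT open connections per source IP; further SYNs
    #    from that IP are dropped while those stay open.
    printf 'iptables -t filter -A FORWARD -i %s -p tcp --syn --dport %s -m connlimit --connlimit-above %s -j DROP\n' \
        "$IFACE" "$SSH_PORT" "$MAX_CONCURRENT"
    # 2. Record every new connection from the source in the "sshconnect" list.
    #    --set runs before --update so the current attempt is counted.
    printf 'iptables -t filter -A FORWARD -i %s -p tcp --dport %s -m conntrack --ctstate NEW -m recent --name sshconnect --set\n' \
        "$IFACE" "$SSH_PORT"
    # 3. Drop once MAX_ATTEMPTS new connections fall within WINDOW_SECONDS.
    #    --update also refreshes the timestamp, so each blocked attempt
    #    restarts the window.
    printf 'iptables -t filter -A FORWARD -i %s -p tcp --dport %s -m conntrack --ctstate NEW -m recent --name sshconnect --update --seconds %s --hitcount %s -j DROP\n' \
        "$IFACE" "$SSH_PORT" "$WINDOW_SECONDS" "$MAX_ATTEMPTS"
}

# Bogon filter as one ipset plus one raw-table rule, so the prefix list can be
# refreshed without touching the iptables ruleset. Lines that are not an IPv4
# CIDR are reported on stderr and skipped instead of being handed to ipset.
bogon_rules() {
    printf 'ipset -exist create %s hash:net\n' "$SET_NAME"
    printf '%s\n' "$BOGON_LIST" | sed 's/#.*//' | tr -d ' \t' | grep -v '^$' |
    while IFS= read -r net; do
        # Format check only: octet values up to 999 still pass this regex.
        if printf '%s\n' "$net" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}/([0-9]|[12][0-9]|3[0-2])$'; then
            printf 'ipset -exist add %s %s\n' "$SET_NAME" "$net"
        else
            printf 'bogon_rules: skipping malformed entry "%s"\n' "$net" >&2
        fi
    done
    printf 'iptables -t raw -A PREROUTING -i %s -m set --match-set %s src -j DROP\n' \
        "$IFACE" "$SET_NAME"
}

# Number of prefixes that made it into the set: a sanity check before applying
# (14 for the constructed sample above).
bogon_entry_count() {
    bogon_rules 2>/dev/null | grep -c "^ipset -exist add $SET_NAME "
}

# Print the complete ruleset when run directly; review it, then pipe it to sh
# on the router.
ssh_rules
bogon_rules
```

Because every rule is appended with -A, the printed order is the evaluation order, which makes the set/update ordering of the recent-module pair visible in the output. The CIDR regex is a format check, not a semantic one; the point is to keep garbage out of the ipset commands, while anything that passes is still subject to ipset's own parsing when applied.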